© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

Charming Kitten targets nuclear security experts in “unending espionage quest”

The Iran-linked threat actor is going after nuclear and Middle East region experts to conduct cyberespionage campaigns.

Charming Kitten – also referred to as TA453, APT42, Mint Sandstorm, and Yellow Garuda – is a threat actor linked to Iran. It stands out in its attempts to compromise high-value accounts in government, academia, NGOs, national security, and journalism.

Recently, the group has been going after nuclear and Middle East experts in what researchers at cybersecurity company Proofpoint called an “unending espionage quest.” The threat actor apparently impersonates well-known and reputable experts to lure victims into its trap.

In mid-May, a public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs received a seemingly benign email purporting to come from a senior fellow with the Royal United Services Institute (RUSI).

The sender asked the target for feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review. As you might suspect, such drafts are the delivery vehicle: threat actors spread malware functioning as espionage modules through documents such as Microsoft Word files with macros.

“As seen in one of TA453’s most recent campaigns, the threat actor initiated contact with its target using a benign email and later used multi-persona impersonation, listing additional experts to establish rapport with the target,” Proofpoint said.

[Image: Initial TA453 approach using a benign email. By Proofpoint]

[Image: TA453 multi-persona impersonation approach in a follow-on email. By Proofpoint]

Proofpoint assesses that Charming Kitten acts in support of the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Intelligence Organization (IRGC-IO).

According to the researchers, the threat actor regularly adapts its infection chain to complicate detection efforts and keep its espionage running without interruption.

“The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters. (...) Regardless of the infection method, TA453 continues to deploy modular backdoors in an effort to collect intelligence from highly targeted individuals,” Proofpoint said.
